[strongSwan] Strong swan IKE issue.

Tobias Brunner tobias at strongswan.org
Tue Mar 20 08:45:57 CET 2018

Hi Andrii,

ike-scan won't help you here as it only reports on Phase 1 (IKE SA), but
your problem is during Phase 2 (Quick Mode, IPsec SA).

> Remote side is not supporting pfs.
> IKE Phase One Parameters:	
> Encryption Algorithm: 	AES 256
> Hash Algorithm: 	SHA
> Authentication Method:	Pre-shared key
> Key Exchange:	Diffie Hellman Group 5
> IKE SA Lifetime: 	86400 (Cisco default)
> IKE Phase Two Parameters (IPSEC):	
> Authentication:	ESP with SHA-HMAC
> Encryption Algorithm: 	ESP-AES 256
> SA Establishment: 	ipsec-isakmp (IKE negotiated)
> IPSEC Mode	Tunnel (Cisco default)
> IPSEC SA Lifetime (time)	3600 seconds
> IPSEC SA Lifetime (volume) 	4608000 kilobytes
> PFS (Perfect Forward Secrecy)	No
> Optional encryption if requirements differ from above:	
> esp-3des esp-md5-hmac	
> esp-aes 256 esp-sha-hmac	
> esp-aes 128 esp-sha-hmac	
> This information I have from remote side. 

Looks like esp=aes256-sha1! should be correct then.  You could also try
esp=aes128-sha1! or esp=3des-md5! (not recommended though).  And if this
doesn't work, ask the remote admins for the correct settings (they
should see in the log why the proposal was rejected).

> Is it possible to se what offer remote side?

No (unless you do what ike-scan does i.e. try a number of possible


More information about the Users mailing list